Disclosure of information

Over the past few days I have received a number of emails in relation to a password reset from our JIRA installation. Initially the emails where in relation to a password reset for the admin account but then they were in relation to my own account which was worrying. We have noticed that my username has then been used to perform a brute force attack on various other web applications that we host.

I have discovered that the hacker requested the following URL: /jira/secure/IssueNavigator!executeAdvanced.jspa which results in an issue navigator screen with no information however when the manage option is selected it shows a list of user created filters and this shows the Owner's name and username.

Can this disclosure of information be prevented?

Are there other pages which users can access without being logged in and could potentially disclose information?

2 answers

If you have not done so, please contact support. There are security related tools that can access to pages, but they are only as good as the person designing the test cases.

Here is an url what Atlassian does when security vulnerbilities are found.


Suggest an answer

Log in or Join to answer
Community showcase
Louis De Jaeger
Posted yesterday in Off-topic

Friday fun: your best joke

Hi all Lets make this Friday fun really fun and post one (or more) of your best jokes! The joke can be about an Atlassian product, or just a really fun joke you want to share! I’m not the best j...

145 views 12 3
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot